Description

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/07/27/1

https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2686

Related Vulnerabilities

CVE-2020-5421 Vulnerability in maven package org.springframework:spring-web

CVE-2022-43426 Vulnerability in maven package io.jenkins.plugins:s3explorer

CVE-2022-3171 Vulnerability in maven package com.google.protobuf:protobuf-java

CVE-2018-1000408 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-44487 Vulnerability in maven package org.eclipse.jetty.http2:http2-common

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory